CVE-2020-13792

Name of the Vulnerable Software and Affected Versions PlayTube version 1.8

Description The issue allows disclosure of user details via directory traversal, also known as local file inclusion, using the "ajax.php" endpoint with specific parameters. The "type" and "page" parameters are used to access unauthorized files, such as the "manage-users" page in the "admin-panel/autoload" directory. For example, the endpoint "/ajax.php?type=../admin-panel/autoload&page=manage-users" can be exploited.

Recommendations For PlayTube version 1.8, as a temporary workaround, consider restricting access to the "ajax.php" endpoint or disabling the type and page parameters to minimize the risk of exploitation. Additionally, avoid using the page parameter with sensitive values, such as "manage-users", in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.